System and Method for Initial Key Establishment Using a Split Knowledge Protocol

1. A method for establishing an initial key for use in authenticating a new computer to an existing computer operatively connected in a cluster, comprising: generating a bit sequence on the existing computer; splitting the bit sequence into a predetermined number of segments at the existing computer; encrypting one or more of the segments with an associated key at the existing computer, wherein encrypting the one or more segments comprises encrypting at least one of the one or more segments with a second associated key that is different than the associated key; transmitting the encrypted segments to the new computer; decrypting the encrypted segments using the associated key at the new computer; and recovering the bit sequence from the decrypted segments to establish the initial key.

2. The method of claim 1 further comprising associating the associated key with a recovery card of the cluster.

3. The method of claim 2 further comprising associating the recovery card with a recovery officer of the existing computer.

4. The method of claim 1 wherein at least one of the new and existing computers comprises a security appliance.

5. The method of claim 1 further comprising generating a secure session between the new and existing computers using the initial key as a shared secret.

6. The method of claim 1 wherein the associated key is generated from a recovery domain key.

7. The method of claim 2 wherein the predetermined number of segments equals a quorum associated with the recovery card of a plurality of recovery cards of the cluster.

8. The method of claim 1 further comprising transmitting a request to approve an operation from the new computer to the existing computer.

9. The method of claim 8 wherein the request comprises an identification of a number of recovery officers of the existing computer required to approve the operation.

10. The method of claim 9 wherein the predetermined number of segments equal the number of recovery officers approving the operation.

11. The method of claim 8 wherein the operation comprises associating the new computer with the existing computer in the cluster.

12. The method of claim 1 wherein recovering the bit sequence comprises exclusive ORing each of the predetermined number of segments together.

13. A system configured to establish an initial key in a clustered environment, comprising: a second computer configured to operatively connect with a first computer in the clustered environment; the first computer configured to receive a request from the second computer, and in response, generate a bit sequence, split the bit sequence into a predetermined number of segments, encrypt one or more of the segments with a recovery key associated with at least one recovery card of a plurality of recovery cards of the clustered environment, and transmit the encrypted segments to the first computer, wherein the first computer is further configured to encrypt at least one of the one or more segments with a second associated key that is different than the associated key; and the second computer further configured to decrypt the encrypted segments using the recovery key and further configured to recover the bit sequence from the decrypted segments.

14. The system of claim 13 wherein at least one of the first and second computers comprises a security appliance.

15. The system of claim 13 wherein the request comprises an identification of a number of recovery officers of the first computer required to approve an operation.

16. The system of claim 15 wherein the predetermined number of segments equal the number of recovery officers required to approve the operation.

17. The system of claim 16 wherein the operation comprises associating the second computer with the first computer in the clustered environment.

18. The system of claim 13 wherein the second computer is configured to recover the bit sequence by exclusive ORing of the segments together.

19. The system of claim 13 wherein the first and second computers are further configured to generate a secure session between the first and second computers using the initial key as a shared secret.

20. The system of claim 13 wherein the second computer is further configured to receive the at least one recovery card to decrypt the encrypted segments.